As 2017 draws to its inevitable close the year has seen a number of trends develop. Amongst ransomware’s perpetual rise and crypto jackers, one of this year’s greatest talking points is the leaking of private data. Whether this is due to hackers abusing exploits or purely human error it can have major implications for those involved moving forward. With only just more than a week left in the year, another leak potentially affecting 123 million American households has surfaced.
In this instance, Alteryx, US data analytics provider has left an Amazon S3 storage bucket exposed online. Thus by doing so leaking the sensitive details of over 123 million US households in the process. This can be seen as yet another blow to user’s privacy and the privacy rights entailed. The discovery was made by researchers at US cyber-security firm UpGuard. The firm had previously discovered similar leaks involving Amazon S3 storage buckets containing sensitive NSA files and another containing data from the US Army's CENTCOM and PACOM divisions.
The Exposed Alteryx Database
As with the leak of both the NSA files and the US Army's CENTCOM and PACOM divisions, the exposed Alteryx database seems to be as a result of database administrators leaving the server's content exposed to anyone that was accessing an easy-discoverable URL while logged into an Amazon account. Exposed data included massive data sets belonging to Alteryx partner Experian, the consumer credit reporting agency. Added to this data belonging to the US Census Bureau, providing data sets from both Experian and the 2010 US Census. While the information pertaining to the census is generally of little value as it is in the public record, the same cannot be said for the data belonging to Experian.
Experian’s ConsumerView marketing database, a product sold to other enterprises, contains a mix of public details and more sensitive data. Anyone motivated to do a little digging would have access to exposed data revealing billions of personally identifying details and data points from virtually every American household. The jeopardized data includes home addresses and contact information, to mortgage ownership and financial histories, to a very specific analysis of purchasing behavior. The exposed data constitutes a remarkably invasive glimpse into the lives of American consumers. This information can be misused in numerous ways excluding the obvious use for fraud that can ruin credit histories not to mention the lives of those affected. Other methods of abuse include spamming and unwanted direct marketing to organized fraud techniques like “phantom debt collection”.
How the leak was Discovered
UpGuard Director of Cyber Risk Research Chris Vickery discovered an Amazon Web Services S3cloud storage bucket located at the subdomain “alteryxdownload”. The discovery was made on October 6, 2017, with the discovery of the sensitive data occurring shortly after. Normally the default security setting for S3 buckets would allow only specifically authorized users to access the contents. In this instance, the bucket was configured via permission settings to which would allow any AWS “Authenticated Users” to download its stored data. While that may appear secure at first an AWS “authenticated user” is “any user that has an Amazon AWS account,” with the service already having over a million users and registration for the service is free.
Included in the data bank were Alteryx software releases and development files. These development files would be applicable to applications produced by the data firm for its analytics customers. While potentially damaging to Alteryx other files discovered are far more significant that appear to originate from beyond Alteryx. The biggest file is titled “ConsumerView_10_2013,” is stored with the extension .yxdb. Such an extension had been seen previously by UpGuard researchers when the personal details of 198 million American voters, compiled in a data set by a data firm used by the Republican National Committee was leaked. The extension is used by Alteryx as a database file format used for large dataset analytics. The “ConsumerView_10_2013,” file contains over 123 million rows, each one signifying a different American household. The 123 million contain roughly 3.5 billion fields covering a wide range of information including consumer behavior and spending patterns.
The Significance of the Data
When both sets of data are taken, both the census data and the ConsumerView data, any party with nefarious intentions have a unique insight into American households including their financial and private lives. Experian argues that the keeping and tracking of such data is done in an attempt to “[provide] consumers with notice and choice when it comes to how their data is being used,” using “careful consideration of consumer privacy” and “values-based practices that govern the acquisition, compilation and sale of our consumer data,” is done for the benefit of users and credit regulators. However, once all this data is exposed online surely such goals are rendered pointless at best and dangerous at worse.
The exposure highlights the dangers of third parties handling sensitive information. Such dangers are regarded by many as one of the biggest problems facing security in the IT sector. As has been seen in the numerous data leaks occurring this year alone, enterprises lack the ability to even assess the security postures of external vendors. Placing such data at risk despite regulations dictating that such data needs to be protected. This does not even consider the ethical considerations of collecting and concentrating the publicly and commercially-gleaned data of millions of users whether in America or the rest of the globe. Such data having been exposed enables users to become victims of fraud and identity theft. That user’s mortgage details were exposed is unacceptable. This is particularly true in light that ownership and mortgage status are often questions asked to verify identity at banking institutions.
Having your spending patterns and behaviors exposed online by institutions who are bound by regulations geared to protecting such data will result in far more than bad publicity. With governments globally looking to crack down on such oversights hefty fines and legal costs are sure to follow.